
Dependabot Alert: Vite dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem #167

Open
JennaySDavis opened this issue Jan 21, 2024 · 2 comments


JennaySDavis commented Jan 21, 2024

Severity: High

Summary
Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details
Since picomatch defaults to case-sensitive glob matching but the file server doesn't discriminate, a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

@JennaySDavis (Author) commented

#167 Acceptance Criteria

| Pass/Fail | Description |
|---|---|
| Pass | Select an active Contractor, can successfully download pdf |
| Pass | Locate a Contractor that provides or uses prohibited equipment; ability to download pdf is disabled |

Comments/Additional Notes
* A minor issue with aria labels was located, affecting the accessibility score. See https://github.com/orgs/GSA/projects/116/views/3?pane=issue&itemId=51527311

| Criteria | Score |
|---|---|
| Performance | 98 |
| Accessibility | 96 |
| Best Practices | 93 |

@johnbeallgsa commented

Thank you! Moving to Done. Bug issue #185 will address the best practices score.
